Alleged records of over 20 million BigBasket users surfaced online on the same hacking forum where cybercriminals were selling Mobikwik’s data. The database, which was leaked on Sunday, includes emails, names, hashed passwords, birthdates and phone numbers, among other order details.
Last year, in November, the CEO of the food delivery company, Hari Menon, had confirmed the data breach to Bloomberg and said a case had been filed with the cybercrime police. However, they were asked not to reveal any details.
The cybercriminal, who goes by the name of ShinyHunters, published the database link for free on the notorious forum.
Several forum members also replied on the thread stating that they had cracked millions of hashed passwords already.
The same person had also leaked the Upstox database earlier this month, then suspended the download links, saying that Upstox had paid the ransom. However, 2500 KYC samples are still accessible from that database. They’ve also leaked the databases of Learnable.com and Wappalyzer.com, among others, in the past.
Alon Gal, Co-founder and CTO at Hudson Rock, a cybercrime intelligence firm, who goes by @UnderTheBreach on Twitter, tweeted that the hashing used for the passwords isn’t secure, and that the passwords are essentially plaintext.
BigBasket users should immediately change their account passwords to ensure that no one else is able to access any more account details than what might’ve already leaked in the breach. Users should also consider changing their password on other platforms where they used the same login credentials.
Earlier this month, it was also discovered that vulnerabilities in Apple AirDrop’s authentication mechanism could potentially leak user data, including phone numbers and email addresses. In a separate incident, researchers found that millions of devices worldwide were receiving malicious advertisements as more than 120 ad servers were compromised.